fix(deps): vuln dompurify (minor → 3.4.2) [ui/lib]

[gh-worker-campaigns-3e9aa4]

Summary: Security update — 1 package upgraded (MINOR changes included)

Manifests changed:

• ui/lib (yarn)

---

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.

---

Updates

Package	From	To	Type	Dep Type	Vulnerabilities Fixed
dompurify	3.2.6	3.4.2	minor	Direct	11 MODERATE

---

Security Details

ℹ️ Other Vulnerabilities (11)

Package	CVE	Severity	Summary	Unsafe Version	Fixed In
dompurify	GHSA-v9jr-rg53-9pgp	MODERATE	DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback	3.2.6	3.4.0
dompurify	GHSA-cj63-jhhr-wcxv	MODERATE	DOMPurify USE_PROFILES prototype pollution allows event handlers	3.2.6	3.3.2
dompurify	GHSA-cjmm-f4jc-qw8r	MODERATE	DOMPurify ADD_ATTR predicate skips URI validation	3.2.6	3.3.2
dompurify	GHSA-v8jm-5vwx-cfxm	MODERATE	DOMPurify contains a Cross-site Scripting vulnerability	3.2.6	3.2.7
dompurify	CVE-2025-15599	MODERATE	-	3.2.6	-
dompurify	GHSA-crv5-9vww-q3g8	MODERATE	DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode	3.2.6	3.4.0
dompurify	GHSA-39q2-94rc-95cp	MODERATE	DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation	3.2.6	3.4.0
dompurify	GHSA-v2wj-7wpq-c8vv	MODERATE	DOMPurify contains a Cross-site Scripting vulnerability	3.2.6	3.3.2
dompurify	CVE-2026-0540	MODERATE	-	3.2.6	-
dompurify	GHSA-h7mw-gpvr-xq4m	MODERATE	DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)	3.2.6	3.4.0
dompurify	GHSA-h8r8-wccr-v5f2	MODERATE	DOMPurify is vulnerable to mutation-XSS via Re-Contextualization	3.2.6	3.3.2

---

Review Checklist

Standard review:

• Review changes for compatibility with your code
• Check for breaking changes in release notes
• Run tests locally or wait for CI
• Approve and merge this PR

---

Update Mode: Vulnerability Remediation

🤖 Generated by DataDog Automated Dependency Management System